Do not allow non-admins to upload or delete cookbooks.

3 files changed, 30 insertions, 1 deletions

diff --git a/features/api/cookbooks/delete_cookbooks.feature b/features/api/cookbooks/delete_cookbooks.feature
index 1a08a2c0e2..951543193f 100644
--- a/features/api/cookbooks/delete_cookbooks.feature
+++ b/features/api/cookbooks/delete_cookbooks.feature
@@ -52,3 +52,10 @@ Feature: CRUD cookbooks
      When I 'DELETE' to the path '/cookbooks/testcookbook_nonexistent/1.2.3'
      Then I should get a '404 "Not Found"' exception
 
+  @delete_cookbook_negative @cookbook_non_admin
+  Scenario: I should not be able to delete cookbook if I am not an admin
+    Given I am an administrator
+     When I fully upload a sandboxed cookbook named 'testcookbook_valid' versioned '0.1.0' with 'testcookbook_valid'
+    Given I am a non-admin
+     When I 'DELETE' to the path '/cookbooks/testcookbook_valid/0.1.0'
+     Then I should get a '403 "Forbidden"' exception
diff --git a/features/api/cookbooks/upload_cookbooks.feature b/features/api/cookbooks/upload_cookbooks.feature
index a8562d1e4b..4856a94530 100644
--- a/features/api/cookbooks/upload_cookbooks.feature
+++ b/features/api/cookbooks/upload_cookbooks.feature
@@ -155,3 +155,22 @@ Feature: CRUD cookbooks
       And I have uploaded a frozen cookbook named 'testcookbook_valid' at version '0.1.0'
      When I upload a cookbook named 'testcookbook_valid' at version '0.1.0'
      Then I should get a '409 "Conflict"' exception
+
+  @create_cookbook_negative @cookbook_non_admin
+  Scenario: Should not be able to create a cookbook if I am not an admin
+    Given I am an administrator
+     When I create a sandbox named 'sandbox1' for cookbook 'testcookbook_valid'
+     Then the inflated responses key 'uri' should match '^http://.+/sandboxes/[^\/]+$'
+     Then I upload a file named 'metadata.json' from cookbook 'testcookbook_valid' to the sandbox
+     Then the response code should be '200'
+     Then I upload a file named 'metadata.rb' from cookbook 'testcookbook_valid' to the sandbox
+     Then the response code should be '200'
+     Then I upload a file named 'attributes/attributes.rb' from cookbook 'testcookbook_valid' to the sandbox
+     Then the response code should be '200'
+     Then I upload a file named 'recipes/default.rb' from cookbook 'testcookbook_valid' to the sandbox
+     Then the response code should be '200'
+     When I commit the sandbox
+     Then I should not get an exception
+    Given I am a non-admin
+     When I create a versioned cookbook named 'testcookbook_valid' versioned '0.1.0' with 'testcookbook_valid'
+     Then I should get a '403 "Forbidden"' exception
diff --git a/features/support/env.rb b/features/support/env.rb
index 8a2dfd1e66..4c40efc499 100644
--- a/features/support/env.rb
+++ b/features/support/env.rb
@@ -135,8 +135,11 @@ def create_databases
   Chef::Environment.create_default_environment
   system("cp #{File.join(Dir.tmpdir, "chef_integration", "validation.pem")} #{Dir.tmpdir}")
   system("cp #{File.join(Dir.tmpdir, "chef_integration", "webui.pem")} #{Dir.tmpdir}")
+  c = Chef::ApiClient.cdb_load(Chef::Config[:web_ui_client_name])
+  c.admin(true)
+  c.cdb_save
 
-  cmd = [KNIFE_CMD, "cookbook", "upload", "-a", "-o", INTEGRATION_COOKBOOKS, "-u", "validator", "-k", File.join(Dir.tmpdir, "validation.pem"), "-c", KNIFE_CONFIG]
+  cmd = [KNIFE_CMD, "cookbook", "upload", "-a", "-o", INTEGRATION_COOKBOOKS, "-u", Chef::Config[:web_ui_client_name], "-k", File.join(Dir.tmpdir, "webui.pem"), "-c", KNIFE_CONFIG]
   Chef::Log.info("Uploading fixture cookbooks with #{cmd.join(' ')}")
   cmd << {:timeout => 120}
   shell_out!(*cmd)